The present invention relates to a relay system in a network.
(Concept of Domain)
A routing domain has hitherto been conceived as follows. A routing domain consists of one or more networks, and is defined as the range within which a network layer packet managed by one or more routing protocols cooperating with each other is reachable. For example, the Internet consists of a plurality of networks in which a variety of routing protocols function. Therefore, the Internet may be conceived as one routing domain (hereinafter simply referred to as a domain).
Many enterprises have by now built intra-organization networks (Intranets) using Internet technology as their own information infrastructures. An Intranet needs a firewall between the Internet and the Intranet itself in order to keep the enterprise's confidentiality and to block interference from outside. The firewall monitors and restricts communications with the Internet. It is general practice that the Intranet's internal routing information is not distributed to the Internet, for reasons of security. Further, the Intranet generally uses private addresses because of the shortage of IPv4 addresses.
A private address is a category of Internet address that an office user may use as the user sees fit. Distributing routing information for these addresses to the Internet is, however, prohibited. An Intranet using private addresses is therefore incapable of communicating directly with the Internet. Accordingly, the Intranet may be defined as a domain independent of the Internet.
A NAT (IP Network Address Translation) device is required for the Intranet to communicate with the Internet. The NAT device translates the private address attached to a packet into a global address at the boundary between the two domains, so that a packet carrying a private address can pass through the Internet, in which routing is conducted on the basis of global addresses.
Further, routers have come to incorporate a NAT function (such a router will hereinafter be referred to as a NAT router) in order to accommodate more complicated Intranet architectures and more diversified router functions. This type of router is capable of managing two domains.
Under such circumstances, a communication from the domain using private addresses (hereinafter called a private address domain) to a domain using global addresses (hereinafter called a global address domain) is performed as follows.
Namely, a default route is set so that each of the routers within the private address domain forwards all packets whose destination addresses are outside the Intranet to the NAT router. Packets addressed to the global address domain can thereby be sent to a relay system provided at the domain boundary (hereinafter termed a domain boundary relay system).
This domain boundary relay system does not distribute the routing information of the private address domain to the global address domain, but does distribute the routing information obtained from the global address domain to the private address domain. With this contrivance, each host (node) in the private address domain is capable of sending packets addressed to the global address domain to the relay system.
The domain boundary relay system obtains a next hop router within the global address domain from the routing information received from the global address domain (in practice an external router may instead be specified as a default route in the relay system). Thus, the domain boundary relay system is capable of routing the packet to an interface directed to the global address domain. At this point the domain boundary relay system in fact translates the packet's address before the packet is routed.
The address is translated by one of a few methods. For instance, at first, the relay system at the domain boundary pools some global addresses. The relay system replaces the source address of an arriving packet, which is a private address, with one of the pooled global addresses (hereinafter called an Alias address).
Next, the relay system forwards the packet as if it were a source host within the global address domain. At this time, the relay system records a mapping from the replaced source address to that Alias address. Then, when the relay system receives response traffic for the packet transmitted using the Alias address, it transmits the response packet back to the original source host within the private address domain.
When a response packet to a preceding packet forwarded from the private address domain to the global address domain is returned, its destination address is the Alias address. Namely, in the global address domain, the source address of the preceding packet is the Alias address of the relay system. Therefore, the domain boundary relay system refers to the address translation table recorded earlier, mapping private addresses to global addresses and vice versa, and can thus translate the packet's destination address into the source address in the private address domain. The domain boundary relay system then outputs the reply packet to the interface connected to the private address domain.
Communications between the two domains can be performed owing to the address translation function described above. In this case, communication in the forward direction requires a routing table of the destination domain. On the other hand, if the address translation table is set to record the private address and the global address together with the interface that received the forward-streamed packet, the relay system may transfer a backward-streamed packet to that receiving interface. In that case, the relay system searches the routing information of the source domain, determines a next hop router in the private address domain, and transfers the packet to the above interface.
The domain boundary relay system in the prior art has a routing control program that terminates a plurality of routing protocols, and only one routing table. Note that a routing table, as the term is used herein, is a table searched to determine an output interface and a next hop router when routing a packet.
The conventional relay system controls whether or not pieces of routing information obtained by the plurality of routing protocols are mixed with each other. If they are mixed, however, the prior-art relay system writes all the routing information obtained from the plurality of routing protocols into the same routing table. Namely, the relay system at the boundary between the private address domain and the global address domain manages the routing information obtained from both domains within one single table.
(Example of IP Navigator by Lucent Technologies Corp.)
FIG. 19 shows an outline of the processing of IP Navigator by Lucent Technologies Corp. IP Navigator is a communication program supporting a plurality of routing tables. IP Navigator runs on a relay system (hereinafter called a router) that implements the MPLS (Multi Protocol Label Switching) protocol as a technology for ISP (Internet Service Provider) networks.
IP Navigator partitions an ISP network by making an LSP (Label Switch Path) between the routers for each of the plurality of routing tables in an LSR (Label Switch Router). IP Navigator then aims to provide each partition to the office user as a private network. According to this method, routing tables are provided for the plurality of domains. This method is, however, incapable of performing communications between an arbitrary pair of domains through an address translation function.
(Implementation of IPv6 Router)
The IP protocol (IP version 4, hereinafter abbreviated to IPv4) has been used up to now as the typical network layer protocol. Further, a new version (IP version 6, abbreviated to IPv6) of the IP protocol has arrived to remedy the shortage of IP addresses. IPv4 and IPv6 coexist at present. Generally, an IPv4 domain and an IPv6 domain communicate with each other by use of an address translator. There is a router (such as the NR60 manufactured by Hitachi Ltd.) supporting both domains, by which an IPv4 domain having an IPv4 routing table and an IPv6 domain having an IPv6 routing table can communicate with each other by address translation.
This type of router has a plurality of routing tables, one for each of the IPv4 and IPv6 domains, and is capable of performing communications between the two domains by address translation. A user is, however, unable to further define domains within an IP address space and connect two or more such domains as the user intends through address translation.
(Unidirectional NAT)
FIG. 20 shows an outline of a unidirectional NAT. The unidirectional NAT realizes communications under the condition that routing information of a domain 1 cannot be distributed to a domain 2, as with private and global addresses. Domain 1 can be informed of a route to domain 2 and is therefore capable of routing packets addressed to domain 2.
The NAT device translates the source address of a packet passing through it into an Alias address assigned to its own interface directed to domain 2. The NAT device forwards the packet with its address translated to domain 2, and stores the mapping between the Alias address and the source address before translation.
With this operation, a receiving host within domain 2 sends a response packet toward the Alias address. Namely, domain 2 is uninformed of the route to domain 1 but is capable of replying to the translated Alias address of the NAT device.
Further, using the mapping between the Alias address and the source address, the NAT device re-forwards a packet received at this Alias address toward the original source address stored on the domain 1 side.
In this case, the routing tables of the NAT device are not separated according to domain 1 and domain 2. If a packet addressed to domain 1 from domain 2 is received on the forwarding interface, this packet might be forwarded by reference to the routing table. Therefore, a packet filter against unauthorized packets is needed.
(Bidirectional NAT)
FIG. 21 shows an outline of a bidirectional NAT. The bidirectional NAT realizes communications under the condition that neither domain 1 nor domain 2 can exchange routing information with the other. When a host in domain 1 starts communication with a host in domain 2, the host in domain 1 executes name resolution by use of DNS (Domain Name System) in advance of the communication.
A resolution request in domain 1 is sent via a DNS server within domain 1 and translated by a translation server on the NAT device into a resolution request within domain 2. When a resolution response is returned from the DNS server in domain 2, the NAT device sets, on the respective interfaces, pooled Alias addresses suited to domain 1 and domain 2. The NAT device then notifies the inquiring host in domain 1 of the Alias address on the domain 1 side, and records a mapping of the resolved address received from domain 2 to each Alias address.
The source host transmits the packet to the Alias address of the NAT device on the domain 1 side. Using the mapping given above, the NAT device translates the destination address of the header into the address obtained from the DNS of domain 2 by the resolution response, and translates the source address into the Alias address on the domain 2 side. In this case there is no problem if the address systems are entirely different, as in the case of IPv4 and IPv6. In an architecture in which both domains are configured as parts of the IPv4 address space, however, if the NAT device receives a malicious packet addressed to an interface address other than the Alias address, and if the packet filter is not set correctly, the NAT device might forward this packet.
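As an added example, not part of the patent text, the following Python model implements the bidirectional NAT just described: the DNS-triggered pairing of Alias addresses on the two interfaces, the translation of both header addresses, and refusal of packets whose destination is not an Alias address of an established mapping. The host, server and Alias addresses and the DNS stand-in are all constructed.

```python
# Added example (not from the patent text): a minimal model of the
# bidirectional NAT. Domain 1 and domain 2 both use the same private space
# (constructed: 10.0.0.0/8 on each side), so the NAT device pools one Alias
# address per interface and pairs them when a DNS resolution crosses the
# device. All addresses and names below are constructed.

class BidirectionalNAT:
    def __init__(self, pool_side1, pool_side2, dns_domain2):
        self.pool1 = list(pool_side1)   # free Alias addresses on the domain 1 interface
        self.pool2 = list(pool_side2)   # free Alias addresses on the domain 2 interface
        self.dns2 = dns_domain2         # constructed stand-in for the domain 2 DNS server
        self.alias1 = {}                # side-1 Alias -> resolved address in domain 2
        self.alias2 = {}                # side-2 Alias -> inquiring host in domain 1
        self.pair = {}                  # side-1 Alias <-> side-2 Alias

    def resolve(self, name, inquirer):
        """Translation server: resolve in domain 2 and return the side-1 Alias."""
        real = self.dns2[name]
        a1, a2 = self.pool1.pop(0), self.pool2.pop(0)
        self.alias1[a1] = real
        self.alias2[a2] = inquirer
        self.pair[a1], self.pair[a2] = a2, a1
        return a1

    def forward(self, src, dst):
        """Packet from domain 1: dst must be a side-1 Alias held by this src."""
        if dst not in self.alias1 or self.alias2[self.pair[dst]] != src:
            return None                 # not an Alias of this flow: refuse, do not route
        return (self.pair[dst], self.alias1[dst])   # (translated src, translated dst)

    def backward(self, src, dst):
        """Reply from domain 2: dst must be a side-2 Alias paired with this src."""
        if dst not in self.alias2 or self.alias1[self.pair[dst]] != src:
            return None                 # addressed to a non-Alias interface address: refuse
        return (self.pair[dst], self.alias2[dst])   # (translated src, translated dst)
```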
(Application Gateway)
The domains can also be isolated by using an application gateway. FIG. 22 shows an outline of the application gateway.
An application program 40 on the application gateway first terminates the communication from domain 1 and receives the data. This application program 40 then retransmits the data onto the connection on the domain 2 side. This method involves preparing on the gateway an application program 40 corresponding to each application used by an end host. Moreover, a problem inherent in this method is that the processing is heavy.
(Address Translator Corresponding to Plural Domains)
A router supporting a plurality of domains has been proposed. The conventional router of this type is provided with a single routing table. Further, the router uses a packet filter that blocks packets ruled out by the address translation policy between the domains. This type of router can be used in a simple setting. The prior-art router becomes, however, intricate in processing if there are a multiplicity of management domains. Further, a judgement about inter-domain communications must be made with respect to all packets.
(Problems)
According to an address translation algorithm such as NAT, the router performs forward-streamed packet transfer by searching the routing table after executing the address translation process. The router sets the packet filter with respect to the packet's source and destination addresses, thereby judging whether the packet should be routed or not. On the other hand, with respect to backward-streamed packets the router behaves as if it were a source host in the global address domain. The router, as an end host, then terminates packets addressed to the global addresses pooled in the router.
Similarly, the router judges through the packet filter whether or not a packet addressed to the private address domain and arriving from the global address domain should be routed between the domains. Therefore, if a malicious packet addressed to the private address domain arrives at the router, and if the packet filter is not correctly set, the router refers to only one routing table and might forward this malicious packet to the private address domain. This implies the possibility that a multiplicity of unknown packets may be unexpectedly received from the Internet, which might turn out to be a security hole.
Moreover, in a router capable of connecting a plurality of domains, it is assumed that each domain may use the same private address space. In this case, if the router writes the routing information obtained from the respective domains into one single routing table, contradictions occur in the routing table.
To obviate the problem described above, the packet filter can restrict packets from the global address domain so that they are not forwarded. If the number of domains that can be managed increases, however, the setting becomes complicated.
For example, the packet filter is capable of restricting packet routing using an input interface, an output interface, a source address, a destination address, an L4 (Layer 4) port number, etc. as keys. If a multiplicity of domains are connected by a router having a multiplicity of interfaces, it is troublesome to set a filtering condition for every pair of domains. Further, a router having such an architecture carries the possibility that a mistake in setting may be induced. Moreover, this kind of complicated filtering process becomes a burden for the router, with the result that high-speed routing is hard to achieve.
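As an added illustration (not the patent's own code), the following Python model covers both the unidirectional NAT of FIG. 20 and the problem just stated: a backward-streamed packet from the global side is handled by a single routing table, with and without a correctly set packet filter, and then by an assumed design in which the lookup for packets from the global side is confined to a table holding only that domain's routes. All addresses, routes and the Alias mapping are constructed.

```python
# Added example (not from the patent text): the backward-path risk of a
# single routing table. A NAT relay sits between a private address domain
# (constructed: 10.0.0.0/8) and the global address domain. Addresses, routes
# and the Alias mapping are all constructed for this example.
from ipaddress import ip_address, ip_network

PRIVATE_DOMAIN = ip_network("10.0.0.0/8")

# Prior-art design: one routing table shared by both domains.
SINGLE_TABLE = [(ip_network("10.0.0.0/8"), "if_private"),
                (ip_network("0.0.0.0/0"), "if_global")]

# Assumed per-domain design: the table consulted for packets arriving from
# the global side holds only global-domain routes, so no route to 10.0.0.0/8
# exists in it.
GLOBAL_SIDE_TABLE = [(ip_network("198.51.100.0/24"), "if_global"),
                     (ip_network("203.0.113.0/24"), "if_global")]

# Mapping recorded when a forward packet was translated: Alias -> private source.
NAT_MAP = {"203.0.113.10": "10.1.2.3"}

def lookup(table, dst):
    """Longest-prefix match; returns the output interface or None."""
    best = None
    for net, iface in table:
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def backward_single_table(dst, filter_set):
    """A packet arriving from the global side, routed via the single table."""
    if dst in NAT_MAP:                          # reply to an Alias: translate and deliver
        return ("deliver", NAT_MAP[dst])
    if filter_set and ip_address(dst) in PRIVATE_DOMAIN:
        return ("drop", "filter")               # only the packet filter protects the domain
    iface = lookup(SINGLE_TABLE, dst)
    return ("forward", iface)                   # unfiltered: leaks into the private domain

def backward_per_domain(dst):
    """The same packet, but the lookup is confined to the global-side table."""
    if dst in NAT_MAP:
        return ("deliver", NAT_MAP[dst])
    iface = lookup(GLOBAL_SIDE_TABLE, dst)
    return ("forward", iface) if iface else ("drop", "no_route")
```

A packet addressed directly to a private address is thus reachable through the single table unless a filter rule exists for that pair of domains, whereas the per-domain table simply has no route for it.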